Wednesday, November 14, 2007

Has the virtual keyboard been considered?

Phishing is an attack in which the attacker sends an email made to look as if it came from a bank or other financial institution and lures the victim into entering sensitive information.

Image-based keyboards (or virtual keyboards) were invented to make life harder for banking or phishing Trojan horses (specifically keystroke loggers, or keyloggers); some even suggested they be used specifically to avoid these Trojan horses.


  1. A virtual keyboard is a very useful feature. Some security programs apply it. It's even said that it may protect against hardware keyloggers. I'm running the kind of security program (PrivacyKeyboard) which allows you to enter sensitive data with a virtual keyboard, and I should say it's pretty effective.

  2. Virtual keyboards do not increase security at all under any circumstances.

    In the case of a phishing attack, you are using the attacker's virtual keyboard on the attacker's website. The only reason he created one in the first place was to fool you into thinking it was your real bank.

    As far as keyloggers are concerned, if a keylogger can tell what keys you are pressing on your keyboard then it can tell where you are clicking with your mouse.

    Software based keyloggers can also take screen shots every time you click (while browsing a bank website) and record the coordinates that the mouse was pointing at.

    Hardware based keyloggers can't take screen shots but seriously, if you have a hardware based keylogger, you have already lost. They will have already detected your login password and will be able to install a software keylogger.

  3. Hi Dave,

    When I was speaking about the virtual keyboard in connection to security, I meant the feature of the program I'm running, i.e. PrivacyKeyboard. It's a reliable anti-keylogger and its virtual keyboard does protect from hardware keyloggers, because the protection starts with the system startup and you're able to enter your account's password without being captured by a hardware keylogger. Besides, while you're using the mouse to enter some information with the virtual keyboard, the program does not stop its general protection and a software keylogger is not able to intercept the mouse clicks. PrivacyKeyboard also prevents keyloggers from taking screenshots. I'm not a trustful person, I've tested the software before installing and I've been using it for quite some time, so these are not just statements, this is experience.

    Of course you're right saying that during a phishing attack you may be tricked into using the virtual keyboard on the attacker's site thinking that it was your bank, then nothing helps, but entering the password with the virtual keyboard of software like PrivacyKeyboard can guarantee high chances to stay secure (it's well-known that no one can guarantee 100% safety).


  4. Dave & Andy: Thanks for your comments. Even my personal perception of this idea of a virtual keyboard has been insecurity. I appreciate the issues brought by Dave and feel these concerns make the virtual keyboard not mature enough to cater to phishing attacks.

